Vulnerability Management, Patch/Configuration Management

Critical ‘Cellbreak’ vulnerability in Grist-Core allows remote code execution

A critical security flaw, codenamed Cellbreak and tracked as CVE-2026-24002, has been disclosed in Grist-Core, an open-source relational spreadsheet-database. This vulnerability could allow for remote code execution, turning a spreadsheet into a significant security risk, according to a recent report by The Hacker News.

Discovered by Vladimir Tokarev, the Cellbreak vulnerability (CVSS score: 9.1) is a Pyodide sandbox escape. It allows malicious formulas to execute OS commands or run host-runtime JavaScript, collapsing the boundary between cell logic and host execution. The flaw stems from Grist's Python formula execution within Pyodide, which uses a blocklist approach that can be bypassed. This enables attackers to escape the sandbox, gain filesystem access, expose secrets, and potentially access database credentials and API keys.

The vulnerability has been addressed in Grist version 1.7.9, released on January 9, 2026. Grist has moved Pyodide formula execution under the Deno JavaScript runtime by default, but users should avoid the GRIST_PYODIDE_SKIP_DENO setting if untrusted formulas are used.

Source: The Hacker News

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds